1 / 45

Die strongSwan Open Source VPN Lösung Open Source Trend Days 2013 Steinfurt strongswan

Die strongSwan Open Source VPN Lösung Open Source Trend Days 2013 Steinfurt www.strongswan.org. Prof. Andreas Steffen Institute for Internet Technologies and Applications HSR Hochschule für Technik Rapperswil andreas.steffen@hsr.ch. Wo um Gottes Willen liegt Rapperswil ?.

smoffett
Download Presentation

Die strongSwan Open Source VPN Lösung Open Source Trend Days 2013 Steinfurt strongswan

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Die strongSwan Open SourceVPN LösungOpen Source Trend Days 2013 Steinfurtwww.strongswan.org Prof. Andreas Steffen Institute for Internet Technologies andApplications HSR Hochschule für Technik Rapperswil andreas.steffen@hsr.ch

  2. Wo um Gottes Willen liegt Rapperswil?

  3. HSR - Hochschule für Technik Rapperswil • Fachhochschule mit ca. 1500 Studierenden • Studiengang für Informatik (300-400 Studierende) • Bachelorstudium (3 Jahre), Masterstudium (+1.5 Jahre)

  4. Die strongSwan Open SourceVPN LösungOpen Source Trend Days 2013 Steinfurt Das strongSwan Projekt

  5. FreeS/WAN 1.x 1999 2000 X.509 1.x Patch  2004 FreeS/WAN 2.x Super FreeS/WAN 2003 X.509 2.x Patch Openswan 1.x The strongSwan Open Source VPN Project 2004 Openswan 2.x strongSwan 2.x 2005 IKEv2 RFC 4306 ITA IKEv2 Project … IKEv1 & partial IKEv2 New architecture,same config. strongSwan 4.x 2012 strongSwan 5.x IKEv1 & IKEv2 Monolithic IKE Daemon

  6. strongSwan – the Open Source VPN Solution strongSwanClient Windows ActiveDirectory Server LinuxFreeRadiusServer CampusNetwork High-AvailabilitystrongSwanVPN Gateway Internet Windows 7/8Agile VPN Client strongswan.hsr.ch

  7. Supported Operating Systems andPlatforms • Supported Operating Systems • Linux 2.6.x, 3.x (optional integrationintoNetworkManager) • Android 4.x App (usinglibipsecuserland ESP encryption) • Mac OS X App (usinglibipsecuserland ESP encryption) • Mac OS X (via commandline) • FreeBSD • OpenWrt • Supported Hardware Platforms (GNU autotools) • Intel i686/x86_64, AMD64 • ARM, MIPS • PowerPC • Supported Network Stacks • IPv4, IPv6 • IPv6-in-IPv4 ESP tunnels • IPv4-in-IPv6 ESP tunnels

  8. strongSwan on Raspberry Pi 11’000 kB/s Plaintext AES128-SHA1_96 2’300 kB/s 2’100 kB/s AES128-SHA256_128 1’500 kB/s AES192-SHA384_192 AES256-SHA512_256 1’400 kB/s • Performance measurementsetup • TwoRaspberry Pi hostsconnected via 100 Mbit/s Ethernet • FTP downloadofan 18 MB file • NoAuthenticated Encryption (AEAD) Support • Unfortunatelytheefficient AES-GCM ESP algorithmfamilyis not enabled in thecurrentRaspberryPi kernel.

  9. Free Download from Google Play Store Sep 24 2013:6,605 installations

  10. Mac OS X App http://download.strongswan.org/osx/

  11. Modular Plugin-BasedArchitecture (29/84) • libstrongswanplugins aesaf_algagentblowfish ccm cmacconstraintsctrcurldesdnskeyfips_prfgcmgcryptgmphmackeychainldap md4 md5mysqlnonceopensslpadlockpempgppkcs1 pkcs11 pcks12 pkcs7 pkcs8pubkeyrandom rc2rdrandrevocation sha1 sha2 soupsqlitesshkeytest_vectorsunboundx509xcbc • libcharonplugins addrblockandroid_dnsandroid_logcertexpirecouplingdhcpduplicheckeap_aka eap_aka_3gpp2 eap_dynamiceap_qtceap_identity eap_md5 eap_mschapv2 eap_peapeap_radiuseap_simeap_simaka_pseudonymeap_simaka_reautheap_simaka_sqleap_sim_fileeap_sim_pcsceap_tlseap_tnceap_ttlserror_notifyfarp ha ipseckeykernel_libipsecledload_testerlookipmaemomedclimedsrvosx_attrradattrsmpsocket_defaultsocket_dynamicsqlstrokesystime_fixtnc_ifmaptnc_pdpuciunit_testerunityupdownwhitelistxauth_eapxauth_genericxauth_noauthxauth_pem • libhydraplugins attrattr_sqlkernel_klipskernel_netlinkkernel_pfkeykernel_pfrouteresolve • libtnccsplugins tnccs_11 tnccs_20 tnccs_dynamictnc_imctnc_imvtnc_tnccs

  12. Die strongSwan Open SourceVPN LösungOpen Source Trend Days 2013 Steinfurt Remote Access mit zertifikat-basierter Authentisierung

  13. IKEv2 Remote Access Scenario #ipsec.secretsforroadwarriorcarol : RSA carolKey.pem "nH5ZQEWtku0RJEZ6" #ipsec.secretsforgatewaymoon : RSA moonKey.pem #ipsec.conf for roadwarrior carol conn home keyexchange=ikev2 left=%any leftsourceip=%config leftcert=carolCert.pem leftid=carol@strongswan.org leftfirewall=yes right=192.168.0.1 rightid=moon.strongswan.org rightsubnet=10.1.0.0/16 auto=start #ipsec.conf for gateway moon conn rw keyexchange=ikev2 left=%any leftsubnet=10.1.0.0/24 leftcert=moonCert.pem leftid=moon.strongswan.org leftfirewall=yes right=%any rightsourceip=10.3.0.0/24 auto=add

  14. IKEv2 Connection Setup carol 05[ENC] generating IKE_SA_INIT request [SA KE No N(NATD_S_IP) N(NATD_D_IP)] 05[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] 06[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] 06[ENC] parsed IKE_SA_INIT response [SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ] 06[ENC] generating IKE_AUTH request [IDi CERT CERTREQ IDr AUTH CP SA TSi TSr] 06[NET] sending packet: from192.168.0.100[4500] to192.168.0.1[4500] 07[NET] received packet: from192.168.0.1[4500] to192.168.0.100[4500] 07[ENC] parsed IKE_AUTH response [IDr CERT AUTH CP SA TSi TSr N(AUTH_LFT)] 07[IKE] installing new virtual IP 10.3.0.1 07[AUD] established CHILD_SA successfully moon 05[NET] received packet: from 192.168.0.100[500] to 192.168.0.1[500] 05[ENC] parsed IKE_SA_INIT request [SA KE No N(NATD_S_IP) N(NATD_D_IP)] 05[ENC] generating IKE_SA_INIT response [SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ] 05[NET] sending packet: from 192.168.0.1[500] to 192.168.0.100[500] 06[NET] received packet: from192.168.0.100[4500] to192.168.0.1[4500] 06[ENC] parsed IKE_AUTH request [IDi CERT CERTREQ IDr AUTH CP SA TSi TSr] 06[IKE] peer requested virtual IP %any 06[IKE] assigning virtual IP 10.3.0.1 to peer 06[AUD] established CHILD_SA successfully 06[ENC] generating IKE_AUTH response [IDr CERT AUTH CP SA TSi TSr N(AUTH_LFT)] 06[NET] sending packet: from192.168.0.1[4500] to192.168.0.100[4500]

  15. IKEv2 Configuration Payload carol carol> ip addr list dev eth0 eth0: inet 192.168.0.100/24 brd 192.168.0.255 scope global eth0 inet 10.3.0.1/32 scope global eth0 carol> ip route list table 220 10.1.0.0/24 dev eth0 proto static src 10.3.0.1 • A virtual IP requested and obtained through leftsourceip=%configis directly configured by strongSwan via the RT Netlink socket moon moon> ip addr list eth0: inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0 eth1: inet 10.1.0.1/16 brd 10.1.255.255 scope global eth1 moon> ip route list table 220 10.3.0.1 dev eth0 proto static src 10.1.0.1 • If a host has an internal interface which is part of the negotiated traffic selectors then this source address is assigned to tunneled IP packets.

  16. Volatile RAM-based IP Address Pools • Configuration in ipsec.conf conn rw ... rightsourceip=10.3.0.0/24 auto=add • Statistics ipsec leases Leases in pool 'rw', usage: 2/255, 2 online 10.3.0.2 online 'dave@strongswan.org' 10.3.0.1 online 'carol@strongswan.org' • Referencing and sharing a volatile pool conn rw1 ... rightsourceip=%rw auto=add

  17. Persistent SQL-based IP Address Pools I • SQLite database table definitions cd strongswan-x.y.z cptesting/hosts/default/etc/ipsec.d/tables.sql /etc/ipsec.d • Creation of SQLite database cat /etc/ipsec.d/tables.sql | sqlite3 /etc/ipsec.d/ipsec.db • Connecting to the SQLite database # /etc/strongswan.conf - strongSwan configuration file libhydra { plugins { attr-sql { database = sqlite:///etc/ipsec.d/ipsec.db } } }

  18. Persistent SQL-based IP Address Pools II • Pool creation ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.0.254 --timeout 48 allocating 254 addresses... done. • Configuration in ipsec.conf conn rw keyexchange=ikev2 ... rightsourceip=%bigpool auto=add • Statistics ipsec pool –-status name start end timeout size online usage bigpool 10.3.0.1 10.3.0.254 48h 254 1 ( 0%) 2 ( 0%) ipsec pool --leases --filter pool=bigpool name address status start end identity bigpool 10.3.0.1 online Oct 22 23:13:50 2009 carol@strongswan.org bigpool 10.3.0.2 valid Oct 22 23:14:11 2009 Oct 22 23:14:25 2009 dave@strongswan.org

  19. Die strongSwan Open SourceVPN LösungOpen Source Trend Days 2013 Steinfurt Remote Access mit RADIUS-basierter Authentisierung

  20. RADIUS-Based Authentication #ipsec.secretsforroadwarriorcarol carol: EAP "Ar3etTnp" #ipsec.secretsforgatewaymoon : RSA moonKey.pem #ipsec.conf for roadwarrior carol conn home keyexchange=ikev2 left=%any leftsourceip=%config leftauth=eap eap_identity=carol right=moon.strongswan.org rightid=moon.strongswan.org rightauth=pubkey rightsubnet=0.0.0.0/0 auto=start #ipsec.conf for gateway moon conn rw keyexchange=ikev2 left=%any leftauth=pubkey leftsubnet=10.1.0.0/24 leftcert=moonCert.pem leftid=moon.strongswan.org right=%any rightsendcert=never rightauth=eap-radius rightsourceip=%radius eap_identity=%any auto=add

  21. RADIUS Configuration • /etc/strongswan.conf on gatewaymoon charon { plugins { eap-radius { secret= gv6URkSs server= 10.1.0.10 accounting = yes } } } • /etc/freeradius/users on RADIUS serveralice carolCleartext-Password := "Ar3etTnp" Framed-IP-Address= 10.3.0.1 daveCleartext-Password := "W7R0g3do" Framed-IP-Address= 10.3.0.2

  22. RADIUS Accounting • AccountingRecord Wed Jul 31 21:28:31 2013 Acct-Status-Type = Stop Acct-Session-Id = "1375306104-1" NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 1 NAS-Port-Id = "rw-eap" NAS-IP-Address = 192.168.0.1 Called-Station-Id = "192.168.0.1[4500]" Calling-Station-Id = "192.168.0.100[4500]" User-Name = "carol" Framed-IP-Address = 10.3.0.1 Framed-IPv6-Prefix = fec3::1/128 Acct-Output-Octets = 7100 Acct-Output-Packets = 5 Acct-Input-Octets = 7100 Acct-Input-Packets = 5 Acct-Session-Time = 6 Acct-Terminate-Cause = User-Request NAS-Identifier = "strongSwan" Acct-Unique-Session-Id = "5716061d9f73b686" Timestamp = 1375306111

  23. Die strongSwan Open SourceVPN LösungOpen Source Trend Days 2013 Steinfurt Nahtlose LAN Integration von RemoteAccess Clients

  24. LAN Integration via DHCP and ARP #ipsec.secretsforroadwarriorcarol : RSA carolKey.pem "nH5ZQEWtku0RJEZ6" #ipsec.secretsforgatewaymoon : RSA moonKey.pem #ipsec.conf for roadwarrior carol conn home keyexchange=ikev2 left=%any leftsourceip=%config leftcert=carolCert.pem leftid=carol@strongswan.org leftfirewall=yes right=192.168.0.1 rightid=moon.strongswan.org rightsubnet=0.0.0.0/0 auto=start #ipsec.conf for gateway moon conn rw keyexchange=ikev2 left=%any leftsubnet=10.1.0.0/24 leftcert=moonCert.pem leftid=moon.strongswan.org leftfirewall=yes right=%any rightsourceip=%dhcp auto=add

  25. DHCP Server Configuration • strongswan.conf on gatewaymoon charon { plugins { dhcp { server = 10.1.255.255 } } } • The farpanddhcppluginsarerequiredforthe LAN usecase

  26. DHCP Server Configuration • dhcpdconfigurationfile on DHCP Server venus ddns-update-style none; subnet10.1.0.0 netmask 255.255.0.0 { option domain-name "strongswan.org"; option domain-name-servers 10.1.0.20; optionnetbios-name-servers 10.1.0.10; optionrouters 10.1.0.1; option broadcast-address 10.1.255.255; next-server 10.1.0.20; range10.1.0.50 10.1.0.60; } hostcarol { optiondhcp-client-identifier "carol@strongswan.org"; fixed-address10.1.0.30; } hostdave { optiondhcp-client-identifier "dave@strongswan.org"; fixed-address10.1.0.40; } • Eitherstaticordynamicaddressassignment

  27. strongSwan SOHO Lösung für Windowsnetze www.revosec.ch

  28. Die strongSwan Open SourceVPN LösungOpen Source Trend Days 2013 Steinfurt Network Access Control

  29. BYOD – Bring Your Own Device • Security Issues • Users do not protect access to their devices or use weakpasswords or login methods. • Users download and install dangerous software packagescontaining malware from unknown sources. • Users do not regularly apply security updates to the installed software packages and operating system. • Users run server applications potentially giving third parties accessto the corporate network and/or sensitive data • Malware might embed itself into the operating system, modifyingsystem commands and libraries.

  30. Android BYOD with Network Access Control • Attribute Requests allow CorporateNetwork NAC PolicyEnforcement Point NAC Server block Policy Manager Android 4 Devicewith NAC Client isolate • Measurement Results Isolation Network

  31. Trusted Network Connect (TNC) Architecture RFC 5792 RFC 5793 RFC 6876 VPN Client VPN Gateway Lying Endpoint

  32. Layered TNC Protocol Stack • IF-T Transport ProtocolPT-TLS (RFC 6876) or PT-EAP [NET] received packet: from 152.96.15.29[50871] to 77.56.144.51[4500] (320 bytes) [ENC] parsed IKE_AUTH request 8 [ EAP/RES/TTLS ] [IKE] received tunneled EAP-TTLS AVP [EAP/RES/TNC] • IF-M Measurement ProtocolPA-TNC (RFC 5792) [TNC] received TNCCS batch (160 bytes) for Connection ID 1 [TNC] PB-TNC state transition from 'Init' to 'Server Working' [TNC] processing PB-TNC CDATA batch [TNC] processing PB-Language-Preference message (31 bytes) [TNC] processing PB-PA message (121 bytes) [TNC] setting language preference to 'en‘ • IF-TNCCS TNC Client-Server ProtocolPB-TNC (RFC 5793) [TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001 [IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1 [TNC] processing PA-TNC message with ID 0xec41ce1d [TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002 [TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004 [TNC} processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008 • TNC Measurement Data [IMV] operating system name is 'Android' from vendor Google [IMV] operating system version is '4.2.1‘ [IMV] device ID is cf5e4cbcc6e6a2db

  33. strongSwan Android VPN Client

  34. Allow Download from Unknown Sources

  35. Install Blacklisted Android Web Server Package

  36. Minor Non-Compliance: Isolate Client

  37. TNC MetadataAccess Point (MAP) Protocol MAP-Client IRON Project FH Hannover (MAP-Server)

  38. Start the Android Web Server

  39. Major Non-Compliance: Block Client

  40. strongTNC Policy Manager https://github.com/strongswan/strongTNC

  41. Measurement Policies and Enforcements Currently supported policy types: • PWDEN Factory Default Password Enabled • FWDEN ForwardingEnabled • TCPOP TCP Ports allowedtobe Open Closed Port Default Policy • TCPBL TCP Ports tobeBlockedOpen Port Default Policy • UDPOP UDP Ports allowedtobeOpen ClosedPort Default Policy • UDPBL UDP Ports tobeBlockedOpen Port Default Policy • PCKGS Installed Packages • UNSRC UnknownSources • SWIDT Software ID (SWID) Tag Inventory • FREFM File Reference Measurement SHA1/SHA256 Hash • FMEAS File Measurement SHA1/SHA256 Hash • FMETA File MetadataCreate/Modify/Access Times • DREFM Directory Reference Measurement SHA1/SHA256 Hashes • DMEAS Directory MeasurementSHA1/SHA256 Hashes • DMETA Directory MetadataCreate/Modify/Access Times

  42. Add/Edit Policies

  43. Define Enforcements

  44. TNC Summary • The TNC protocols have become Internet Standards • The TNC protocols are platform-independent and allow interoperability • The TNC protocols support trustworthy TPM-based remote attestation • The strongSwan BYOD Showcase demonstrates that TNC isready for use • The strongTNC policy manager bases measurements on pastclient behaviour

  45. Danke für dieAufmerksamkeit! Fragen?www.strongswan.org

More Related